EnGenius EnShare IoT Gigabit Cloud Service 1.4.11 Root Remote Code Execution

2017-06-04T00:00:00
ID ZSL-2017-5413
Type zeroscience
Reporter Gjoko Krstic
Modified 2017-06-04T00:00:00

Description

Title: EnGenius EnShare IoT Gigabit Cloud Service 1.4.11 Root Remote Code Execution
Advisory ID: ZSL-2017-5413
Type: Local/Remote
Impact: System Access
Risk: (5/5)
Release Date: 04.06.2017

Summary

With the EnGenius IoT Gigabit Routers and the free EnShare app, you can use your iPhone, iPad or Android-based tablet or smartphone to transfer video, music and other files to and from a router-attached USB hard drive. EnShare is a USB media storage sharing application that enables remote access to files. It allows you to access media content stored on a USB hard drive connected to the router's USB port, both at home and when you are away from home with Internet access. The EnShare feature is enabled by default.

Description

EnGenius EnShare suffers from an unauthenticated OS command injection vulnerability. The 'path' parameter, accepted via either GET or POST by the 'usbinteract.cgi' script, is not sanitized before use, so a remote attacker can inject and execute arbitrary shell commands as the root user without authenticating.
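The advisory's own PoC (enshare_rce.py) is not reproduced on this page. As an added example, and not the original PoC or any EnGenius code, the script below shows how a defender would triage a lighttpd access log for abuse of the endpoint described above: it parses each line, extracts the decoded 'path' query parameter sent to /usbinteract.cgi and flags values carrying shell metacharacters. The log lines are constructed, the log format is assumed to be lighttpd's default accesslog.format (client, vhost, user, time, request, status, size, referer, user agent), and the metacharacter list is a general command-injection heuristic rather than the product's specific injection syntax.

```python
"""Triage constructed lighttpd access-log lines for injection attempts
against the 'path' parameter of usbinteract.cgi (added example, not the
advisory's enshare_rce.py)."""
import re
from urllib.parse import parse_qs, urlsplit

# Assumed log shape: lighttpd default accesslog.format
#   %h %V %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
CLF_RE = re.compile(
    r'^(?P<client>\S+) (?P<vhost>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

VULN_SCRIPT = "/usbinteract.cgi"   # endpoint named in the advisory
VULN_PARAM = "path"                # parameter named in the advisory

# Generic shell metacharacters; checked on the URL-decoded value so that
# %3B (;) or %0A (newline) are caught as well as literal characters.
SHELL_META = set(";|&`$<>\n\r")

# Constructed sample log; the client addresses are documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 router.lan - [04/Jun/2017:12:00:01 +0000] '
    '"GET /usbinteract.cgi?path=/Music/album1 HTTP/1.1" 200 512 "-" "EnShare/1.4"',
    '198.51.100.7 router.lan - [04/Jun/2017:12:00:05 +0000] '
    '"GET /usbinteract.cgi?path=%2Ftmp%3Bid HTTP/1.1" 200 128 "-" "python-requests/2.18"',
    '198.51.100.7 router.lan - [04/Jun/2017:12:00:09 +0000] '
    '"POST /usbinteract.cgi HTTP/1.1" 200 64 "-" "python-requests/2.18"',
    '192.0.2.11 router.lan - [04/Jun/2017:12:00:12 +0000] '
    '"GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return the CLF fields of one log line, or None if it does not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def suspicious_params(target):
    """Return decoded 'path' values sent to usbinteract.cgi that contain
    shell metacharacters. Note: a literal '&' in the query splits the
    parameter (parse_qs treats it as a separator), so only an encoded
    '%26' is visible here; inspect the raw query if that matters."""
    parts = urlsplit(target)
    if parts.path != VULN_SCRIPT:
        return []
    values = parse_qs(parts.query, keep_blank_values=True).get(VULN_PARAM, [])
    return [v for v in values if SHELL_META & set(v)]


def triage(lines):
    """Classify requests to usbinteract.cgi.

    Yields (client, verdict, hits): 'injection' when the GET parameter
    carries metacharacters, 'post-unverifiable' for POSTs, because the
    advisory says the parameter is also accepted via POST and the body
    is never written to the access log."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if urlsplit(rec["target"]).path != VULN_SCRIPT:
            continue
        hits = suspicious_params(rec["target"])
        if hits:
            findings.append((rec["client"], "injection", hits))
        elif rec["method"] == "POST":
            findings.append((rec["client"], "post-unverifiable", []))
    return findings


if __name__ == "__main__":
    for client, verdict, hits in triage(SAMPLE_LOG):
        print(f"{client:15} {verdict:18} {hits}")
```

Because the vulnerable parameter is also accepted via POST, an access log alone cannot prove a router was not exploited; any POST to usbinteract.cgi from an unexpected client should be treated as a candidate and checked against a full packet capture or the device itself.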

Vendor

EnGenius Technologies Inc. - <https://www.engeniustech.com>

Affected Version

ESR300 (1.4.9, 1.4.7, 1.4.2, 1.4.1.28, 1.4.0, 1.3.1.42, 1.1.0.28)
ESR350 (1.4.11, 1.4.9, 1.4.5, 1.4.2, 1.4.0, 1.3.1.41, 1.1.0.29)
ESR600 (1.4.11, 1.4.9, 1.4.5, 1.4.3, 1.4.2, 1.4.1, 1.4.0.23, 1.3.1.63, 1.2.1.46, 1.1.0.50)
EPG5000 (1.3.9.21, 1.3.7.20, 1.3.3.17, 1.3.3, 1.3.2, 1.3.0, 1.2.0)
ESR900 (1.4.5, 1.4.3, 1.4.0, 1.3.5.18 build-12032015@liwei (5668b74), 1.3.1.26, 1.3.0, 1.2.2.23, 1.1.0)
ESR1200 (1.4.5, 1.4.3, 1.4.1, 1.3.1.34, 1.1.0)
ESR1750 (1.4.5, 1.4.3, 1.4.1, 1.4.0, 1.3.1.34, 1.3.0, 1.2.2.27, 1.1.0)

Tested On

Linux 2.6.36 (mips)
Embedded HTTP Server, Firmware Version 5.11
lighttpd/1.4.31

Vendor Status

[17.05.2017] Vulnerability discovered.
[28.05.2017] Contact with the vendor.
[03.06.2017] No reply from the vendor.
[04.06.2017] Public security advisory released.
[21.06.2017] Vendor releases version EPG5000 1.3.014-30, ESR600 1-4-12-64 and ESR900 1.4.6 to address this issue.

PoC

enshare_rce.py

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <https://www.exploit-db.com/exploits/42114/>
[2] <https://packetstormsecurity.com/files/142792>
[3] <https://cxsecurity.com/issue/WLB-2017060050>
[4] <https://exchange.xforce.ibmcloud.com/vulnerabilities/127026>
[5] <https://www.engeniusnetworks.eu/downloads?field_file_type_tid=27&title=ESR900>
[6] <https://www.engeniusnetworks.eu/downloads?field_file_type_tid=27&title=ESR600>
[7] <https://www.engeniusnetworks.eu/downloads?field_file_type_tid=27&title=EPG5000>
[8] <http://www.vfocus.net/art/20170606/13644.html>

Changelog

[04.06.2017] - Initial release
[08.06.2017] - Added reference [1], [2] and [3]
[13.06.2017] - Added reference [4]
[22.06.2017] - Added vendor status and reference [5], [6] and [7]
[25.06.2017] - Added reference [8]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk
